That script should be running unless the script engine is not available,
and from the information previously provided that seems to be the case.
The server is using Java 7 which uses "Mozilla Rhino" as the JavaScript
engine.
Try setting the engine to "Mozilla Rhino".
Note, though, that Rhino and Nashorn are not (strictly) compatible, so the
script might not work (or work as intended) without changes.
Best regards.
On 20/10/15 09:57, Andrea Bettio wrote:
> Zap.log
>
> *2015-10-20 09:21:22,827 [main ] INFO DaemonBootstrap - OWASP ZAP 2.4.2
> started.*
> *2015-10-20 09:21:23,554 [main ] INFO ENGINE - dataFileCache open start*
> *2015-10-20 09:21:23,566 [main ] INFO ENGINE - dataFileCache open end*
> *2015-10-20 09:21:24,195 [main ] INFO AbstractParam - Setting config
> script.scripts.name = F5_base was F5_base*
> *2015-10-20 09:21:24,196 [main ] INFO AbstractParam - Setting config
> script.scripts.file = /app/nets/ZAP_2.4.2/scripts/F5_base.js was
> /app/nets/ZAP_2.4.2/scripts/F5_base.js*
> *2015-10-20 09:21:24,196 [main ] INFO AbstractParam - Setting config
> script.scripts.enabled = true was true*
> *2015-10-20 09:21:24,197 [main ] INFO AbstractParam - Setting config
> script.scripts.engine = Oracle Nashorn was Oracle Nashorn*
> *2015-10-20 09:21:24,197 [main ] INFO AbstractParam - Setting config
> script.scripts.type = proxy was proxy*
> *2015-10-20 09:21:24,200 [main ] INFO SSLConnector - Reading supported
> SSL/TLS protocols...*
> *2015-10-20 09:21:24,200 [main ] INFO SSLConnector - Using a SSLEngine...*
> *2015-10-20 09:21:24,622 [main ] INFO SSLConnector - Done reading
> supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]*
> *2015-10-20 09:21:24,624 [main ] INFO OptionsParamCertificate - Unsafe
> SSL renegotiation disabled.*
> *2015-10-20 09:21:24,644 [ZAP-daemon] INFO ExtensionFactory - Loading
> extensions*
> *2015-10-20 09:21:26,100 [ZAP-daemon] INFO ExtensionFactory -
> Extensions loaded*
> *2015-10-20 09:21:26,656 [ZAP-daemon] INFO FilterFactory - loaded
> filter Change user agent to other browsers. *
> *2015-10-20 09:21:26,657 [ZAP-daemon] INFO FilterFactory - loaded
> filter Detect insecure or potentially malicious content in HTTP responses.*
> *2015-10-20 09:21:26,657 [ZAP-daemon] INFO FilterFactory - loaded
> filter Detect and alert 'Set-cookie' attempt in HTTP response for
> modification.*
> *2015-10-20 09:21:26,657 [ZAP-daemon] INFO FilterFactory - loaded
> filter Avoid browser cache (strip off IfModifiedSince)*
> *2015-10-20 09:21:26,657 [ZAP-daemon] INFO FilterFactory - loaded
> filter Log cookies sent by browser.*
> *2015-10-20 09:21:26,657 [ZAP-daemon] INFO FilterFactory - loaded
> filter Log unique GET queries into file:filter/get.xls*
> *2015-10-20 09:21:26,658 [ZAP-daemon] INFO FilterFactory - loaded
> filter Log unique POST queries into file: filter/post.xls*
> *2015-10-20 09:21:26,658 [ZAP-daemon] INFO FilterFactory - loaded
> filter Log request and response into file: filter/message.txt*
> *2015-10-20 09:21:26,658 [ZAP-daemon] INFO FilterFactory - loaded
> filter Replace HTTP request body using defined pattern.*
> *2015-10-20 09:21:26,658 [ZAP-daemon] INFO FilterFactory - loaded
> filter Replace HTTP request header using defined pattern.*
> *2015-10-20 09:21:26,658 [ZAP-daemon] INFO FilterFactory - loaded
> filter Replace HTTP response body using defined pattern.*
> *2015-10-20 09:21:26,658 [ZAP-daemon] INFO FilterFactory - loaded
> filter Replace HTTP response header using defined pattern.*
> *2015-10-20 09:21:26,659 [ZAP-daemon] INFO FilterFactory - loaded
> filter Send ZAP session request ID*
> *2015-10-20 09:21:26,880 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionViewOption*
> *2015-10-20 09:21:26,882 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionEdit*
> *2015-10-20 09:21:26,882 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionFilter*
> *2015-10-20 09:21:26,882 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Provides a rest based API for controlling and accessing ZAP*
> *2015-10-20 09:21:27,006 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionState*
> *2015-10-20 09:21:27,007 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionHistory*
> *2015-10-20 09:21:27,009 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Show hidden fields and enable disabled fields*
> *2015-10-20 09:21:27,010 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Search messages for strings and regular expressions *
> *2015-10-20 09:21:27,011 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Encode/Decode/Hash...*
> *2015-10-20 09:21:27,011 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Allows you to intercept and modify requests and responses*
> *2015-10-20 09:21:27,017 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Passive scanner*
> *2015-10-20 09:21:27,076 [ZAP-daemon] INFO ExtensionPassiveScan -
> loaded passive scan rule: Script passive scan rules*
> *2015-10-20 09:21:27,077 [ZAP-daemon] INFO ExtensionPassiveScan -
> loaded passive scan rule: Application Error Disclosure*
> *2015-10-20 09:21:27,077 [ZAP-daemon] INFO ExtensionPassiveScan -
> loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP
> Header Set*
> *2015-10-20 09:21:27,077 [ZAP-daemon] INFO ExtensionPassiveScan -
> loaded passive scan rule: Content-Type Header Missing*
> *2015-10-20 09:21:27,077 [ZAP-daemon] INFO ExtensionPassiveScan -
> loaded passive scan rule: Cookie No HttpOnly Flag*
> *2015-10-20 09:21:27,078 [ZAP-daemon] INFO ExtensionPassiveScan -
> loaded passive scan rule: Cookie Without Secure Flag*
> *2015-10-20 09:21:27,078 [ZAP-daemon] INFO ExtensionPassiveScan -
> loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion*
> *2015-10-20 09:21:27,078 [ZAP-daemon] INFO ExtensionPassiveScan -
> loaded passive scan rule: Web Browser XSS Protection Not Enabled*
> *2015-10-20 09:21:27,079 [ZAP-daemon] INFO ExtensionPassiveScan -
> loaded passive scan rule: Secure Pages Include Mixed Content*
> *2015-10-20 09:21:27,079 [ZAP-daemon] INFO ExtensionPassiveScan -
> loaded passive scan rule: Password Autocomplete in Browser*
> *2015-10-20 09:21:27,079 [ZAP-daemon] INFO ExtensionPassiveScan -
> loaded passive scan rule: Private IP Disclosure*
> *2015-10-20 09:21:27,080 [ZAP-daemon] INFO ExtensionPassiveScan -
> loaded passive scan rule: Session ID in URL Rewrite*
> *2015-10-20 09:21:27,080 [ZAP-daemon] INFO ExtensionPassiveScan -
> loaded passive scan rule: X-Content-Type-Options Header Missing*
> *2015-10-20 09:21:27,080 [ZAP-daemon] INFO ExtensionPassiveScan -
> loaded passive scan rule: X-Frame-Options Header Not Set*
> *2015-10-20 09:21:27,182 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Allows you to view and manage alerts*
> *2015-10-20 09:21:27,183 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Active scanner, heavily based on the original Paros active
> scanner, but with additional tests added*
> *2015-10-20 09:21:27,232 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Spider used for automatically finding URIs on a site*
> *2015-10-20 09:21:27,237 [ZAP-daemon] INFO ExtensionLoader -
> Initializing A set of common popup menus for miscellaneous tasks*
> *2015-10-20 09:21:27,237 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Forced browsing of files and directories using code from
> the OWASP DirBuster tool*
> *2015-10-20 09:21:27,238 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionManualRequest*
> *2015-10-20 09:21:27,239 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Allows ZAP to check for updates*
> *2015-10-20 09:21:27,239 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Compares 2 sessions and generates an HTML file showing the
> differences*
> *2015-10-20 09:21:27,240 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Invoke external applications passing context related
> information such as URLs and parameters*
> *2015-10-20 09:21:27,241 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Handles anti cross site request forgery (CSRF) tokens*
> *2015-10-20 09:21:27,242 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionAuthentication*
> *2015-10-20 09:21:28,319 [ZAP-daemon] INFO ExtensionAuthentication -
> Loaded authentication method types: [Form-based Authentication,
> HTTP/NTLM Authentication, Manual Authentication, Script-based
> Authentication]*
> *2015-10-20 09:21:28,320 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Creates a dynamic SSL certificate to allow SSL
> communications to be intercepted without warnings being generated by the
> browser*
> *2015-10-20 09:21:28,354 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Logs errors to the Output tab in development mode only*
> *2015-10-20 09:21:28,354 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionUserManagement*
> *2015-10-20 09:21:28,355 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Summarise and analyse FORM and URL parameters as well as
> cookies*
> *2015-10-20 09:21:28,355 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Script integration*
> *2015-10-20 09:21:28,373 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Scripting console, supports all JSR 223 scripting languages*
> *2015-10-20 09:21:28,374 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionForcedUser*
> *2015-10-20 09:21:28,375 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Extension handling HTTP sessions*
> *2015-10-20 09:21:28,376 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Zest is a specialized scripting language from Mozilla
> specifically designed to be used in security tools*
> *2015-10-20 09:21:28,527 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionDiff*
> *2015-10-20 09:21:28,527 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionRequestPostTableView*
> *2015-10-20 09:21:28,527 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Simple browser configuration*
> *2015-10-20 09:21:28,528 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionSessionManagement*
> *2015-10-20 09:21:28,669 [ZAP-daemon] INFO ExtensionSessionManagement -
> Loaded session management method types: [Cookie-based Session
> Management, Http Authentication Session Management]*
> *2015-10-20 09:21:28,670 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionHttpPanelRequestFormTableView*
> *2015-10-20 09:21:28,670 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Capture messages from WebSockets with the ability to set
> breakpoints.*
> *2015-10-20 09:21:28,674 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Summarise and analyse FORM and URL parameters as well as
> cookies*
> *2015-10-20 09:21:28,675 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionAuthorization*
> *2015-10-20 09:21:28,675 [ZAP-daemon] INFO ExtensionLoader -
> Initializing AJAX Spider, uses Crawljax*
> *2015-10-20 09:21:28,678 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Handles adding Global Excluded URLs*
> *2015-10-20 09:21:28,678 [ZAP-daemon] WARN ExtensionGlobalExcludeURL -
> GlobalExcludeURL.optionsLoaded()*
> *2015-10-20 09:21:28,678 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Adds menu item to refresh the Sites tree*
> *2015-10-20 09:21:28,678 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Adds support for configurable keyboard shortcuts for all of
> the ZAP menus.*
> *2015-10-20 09:21:28,678 [ZAP-daemon] INFO ExtensionLoader -
> Initializing OWASP ZAP User guide*
> *2015-10-20 09:21:28,679 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionReport*
> *2015-10-20 09:21:28,679 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Allows you to configure which extensions are loaded when
> ZAP starts *
> *2015-10-20 09:21:28,679 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionHttpPanelComponentonentAll*
> *2015-10-20 09:21:28,679 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionHttpPanelHexView*
> *2015-10-20 09:21:28,679 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionHttpPanelImageView*
> *2015-10-20 09:21:28,680 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionHttpPanelLargeRequestView*
> *2015-10-20 09:21:28,680 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionHttpPanelLargeResponseView*
> *2015-10-20 09:21:28,680 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionHttpPanelRequestQueryCookieTableView*
> *2015-10-20 09:21:28,680 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionHttpPanelSyntaxHighlightTextView*
> *2015-10-20 09:21:28,681 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Active Scan Rules*
> *2015-10-20 09:21:28,681 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Provides WebDrivers to control several browsers using
> Selenium and includes HtmlUnit browser.*
> *2015-10-20 09:21:28,682 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Translations of the core language files*
> *2015-10-20 09:21:28,682 [ZAP-daemon] INFO ExtensionLoader -
> Initializing The Online menu links*
> *2015-10-20 09:21:28,682 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Provides the foundation for concrete message types (for
> example, HTTP, WebSockets) expose fuzzer implementations.*
> *2015-10-20 09:21:28,683 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Allows to fuzz HTTP messages.*
> *2015-10-20 09:21:28,684 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Tips and Tricks*
> *2015-10-20 09:21:28,684 [ZAP-daemon] INFO ExtensionLoader -
> Initializing The ZAP Getting Started Guide*
> *2015-10-20 09:21:28,684 [ZAP-daemon] INFO ExtensionLoader -
> Initializing ExtensionSaveRawHttpMessage*
> *2015-10-20 09:21:28,685 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Quick Start panel *
> *2015-10-20 09:21:28,685 [ZAP-daemon] INFO ExtensionLoader -
> Initializing Passive Scan Rules*
> *2015-10-20 09:21:49,361 [ZAP-ProxyThread-18] INFO
> ExtensionHttpSessions - Added new session token for site 'irmweb:8283':
> JSESSIONID*
> *2015-10-20 09:21:49,411 [ZAP-ProxyThread-18] INFO HttpSessionsSite -
> Created a new session as no match was found: HttpSession [name=Session
> 0, active=false, tokenValues='']*
> *2015-10-20 09:24:50,374 [ZAP-ProxyThread-34] INFO
> ExtensionHttpSessions - Added new session token for site
> 'prorepprod:8081': JSESSIONID*
> *2015-10-20 09:24:50,384 [ZAP-ProxyThread-34] INFO HttpSessionsSite -
> Created a new session as no match was found: HttpSession [name=Session
> 1, active=false, tokenValues='']*
>
> I have simplified the script to a minimum to understand what the problem is.
>
> F5_base.js
>
> function proxyRequest(msg) {
>     return true
> }
>
> function proxyResponse(msg) {
>     return true
> }
>
> *After calling the URL, the script status is KO:*
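
One way to confirm which JSR 223 engines the server's JVM actually provides, and whether the engine named in `script.scripts.engine` is among them (an added example, not part of the original thread and not ZAP's own code). The class name `EngineCheck` is hypothetical, and the check assumes the configured value corresponds to the JSR 223 engine name.

```java
import javax.script.Invocable;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import javax.script.ScriptEngineManager;

// Hypothetical helper: run it with the same JVM that starts ZAP.
// Written without Java 8 features so it also compiles on Java 7.
public class EngineCheck {
    public static void main(String[] args) throws Exception {
        // Default is the engine name seen in the quoted zap.log;
        // pass "Mozilla Rhino" as the first argument to test the alternative.
        String wanted = args.length > 0 ? args[0] : "Oracle Nashorn";
        ScriptEngineFactory match = null;

        System.out.println("JVM version: " + System.getProperty("java.version"));
        for (ScriptEngineFactory f : new ScriptEngineManager().getEngineFactories()) {
            System.out.println("  engine=\"" + f.getEngineName()
                    + "\" version=" + f.getEngineVersion()
                    + " language=" + f.getLanguageName());
            if (f.getEngineName().equals(wanted)) {
                match = f;
            }
        }

        if (match == null) {
            System.out.println("\"" + wanted + "\" is NOT available on this JVM");
            System.exit(1);
        }

        // Smoke test: load the minimal proxy script from the thread and call it
        // through the engine. The message argument is null because the
        // minimal script never touches it.
        ScriptEngine engine = match.getScriptEngine();
        engine.eval("function proxyRequest(msg) { return true }\n"
                + "function proxyResponse(msg) { return true }");
        if (!(engine instanceof Invocable)) {
            System.out.println("\"" + wanted + "\" cannot invoke script functions");
            System.exit(1);
        }
        Object result = ((Invocable) engine).invokeFunction("proxyRequest", (Object) null);
        System.out.println("\"" + wanted + "\" is available; proxyRequest returned " + result);
    }
}
```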